Hacking of Jeep's electronics stokes fears over vehicle monitoring

The fleet-management technology from Geotab, founded by Neil Cawse, helps companies see whether the driver is wearing a seat belt, whether the service-engine light is on and how fast the vehicle is travelling.

Each week, we seek expert advice to help a small or medium-sized business overcome a key issue.

Next time you receive a package via UPS, know that the delivery van arrived using the most efficient route possible, thanks to technology from an Oakville, Ont.-based company.

On top of that, the seven-centimetre box from Geotab Inc. monitors fuel consumption and helps improve road safety.

Geotab's fleet-management boxes have been installed in more than 550,000 vehicles worldwide, including United Parcel Service's fleet, every PepsiCo Inc. vehicle and some police departments in the United States and Canada.

"Pepsi reduced their number of accidents by around 36 to 38 per cent," says Neil Cawse, who founded Geotab in 2000 after moving to Canada from his native South Africa. He is now its chief executive officer.

By plugging the device into a vehicle's diagnostics port, Geotab can see whether the driver is wearing a seat belt, whether the service-engine light is on and how fast the vehicle is travelling in relation to the posted speed limit.

The company can also pool data and identify dangerous spots on the roads, such as accident-prone intersections or bridges that become icy in winter. "If we can make that data publicly available to the towns and provinces to actually get something done about it, that's another great milestone that we're working toward," Mr. Cawse says.

Geotab is offered mostly through resellers such as Telus Corp. and Rogers Communications Inc. in Canada and Sprint and Verizon in the United States. The company has 215 employees and is growing at about 15 per cent a year, he says. Geotab charges resellers about $50 per device, and clients pay $20 to $25 a month per vehicle to generate reports from the collected data. Annual revenue for Geotab stands at about $100-million.

Mr. Cawse wants to have his devices in 1 million vehicles by the end of 2017. But that could hinge on how these kinds of products are viewed by the public. A number of high-profile hacking cases, such as the one on Jeep vehicles last year, have changed opinions on telematics. (In the Jeep incident, a hacker was able to gain control of vital functions of the vehicle, making it stop unexpectedly on a busy highway, for instance.)

Though Geotab is working with SAE International (Society of Automotive Engineers), the United States' Department of Transportation and the Department of Homeland Security and others to come up with a cybersecurity standard for telematics, that effort won't pay dividends until perhaps three or four years out.

For Geotab to almost double the size of its customer base by the end of the year may be ambitious. However, if it targets large businesses or partners with a vehicle manufacturer it may be able to achieve its goal.

Many high-profile security breaches have originated through third parties and business partners. Businesses more than ever are scrutinizing the security of technology during their procurement processes. For telematics, as long as the technology does not have the ability to control vehicle settings, there is no inherent physical safety risk to the occupants of the vehicle. Geotab may benefit by having its product and technology certified to security standards including Common Criteria or ISO 27001. Companies will often look for certifications to provide a level of assurance that products are secure and their business partners have adequate security practices.

Nicholas Johnston, professor in the School of Applied Computing, Sheridan College, Oakville, Ont.

I noticed on the company's website that there's absolutely no mention of whether this device is secure. That's a primary concern when you see someone wanting to plug a device into your vehicle.

Geotab should address security in their marketing material and on their website first off. Then they can state that they get regular assessments of both their software and hardware. When was the last time its large Web platform had a penetration test? Has anybody actually assessed the embedded device that goes into the vehicle?

A really quick and easy way is to implement a program that in security we call a bug bounty. The idea is you offer financial incentive for anybody to report security vulnerabilities in your products. Facebook does it, Yahoo does it. Basically then you're drawing all the people with the skills to assess your technology and work with you rather than against you. It ends up being really cheap and it's something that can be implemented quickly and efficiently.

Part of the challenge for a logistics company is that its fleet consists of a wide range of vehicles. Different manufacturers, different years, different model types. That means they are managing a fleet with various levels of internal security in the vehicles themselves.

There's an opportunity for someone to provide not only a more consistent level of security but also a single point of management of that security. He should take this as an opportunity instead of a headwind. Telematics can offer a single point of access to all your vehicles at one time. We can also build a single point of security and management of that security for an entire fleet. He takes it from being an issue to a benefit of his product, and if he can do that, then the more concerned people get about hacking, the more they want the product.

THREE THINGS THE COMPANY COULD DO NOW

Focus on your own security

Your platform should be as impeccable as it can be.

Make customers aware

Get the message out that Geotab is conscious of security by displaying it on the company website and marketing materials.

Get certified

If Geotab provides proof that its systems and software have certifiable security, customers will be more comfortable with the products.
